MITRE ATT&CK Technique T1503: Credentials from Web Browsers
The October 2019 ATT&CK release from MITRE includes updates to techniques, Groups, and Software for both Enterprise and Mobile. The biggest change is the addition of cloud coverage: 36 new and updated techniques describing adversary behavior against cloud-based platforms. We are pleased to announce that T1503: Credentials from Web Browsers, contributed by the Exabeam team, has been added to the ATT&CK knowledge base.
Introduction
Many popular web browsers offer to save login credentials, such as a username and password, so the user does not have to retype them for frequently visited websites. Yet an adversary who already has a foothold on the machine, for example through a backdoor, can dump everything the browser has stored. The credentials are encrypted at rest, but with keys the browser itself can use, so code running as the logged-in user can generally decrypt them as well. What's worse, people usually reuse the same password across multiple platforms, so credentials recovered from one browser profile can be replayed against the victim's other accounts (a credential-stuffing attack rather than a true brute force).
Several malware families already ship this capability. One is TrickBot, which was updated in 2018 with a pwgrab32 (password grabber) module that harvests saved credentials, cookies and autofill data from popular browsers such as Chrome, Firefox, Edge and Internet Explorer. Similarly, Vega Stealer, written in .NET, steals browser-stored credentials and financial information and looks for "key3.db", "key4.db", "logins.json" and "cookies.sqlite" in the Firefox user profile (logins.json holds the encrypted logins, while key3.db or key4.db holds the NSS key database needed to decrypt them, which is why stealers take both). As these cases show, adversaries are increasingly interested in browser data because it yields a wealth of information in one place.
Taking the most popular browser, Google Chrome, as an example: on Windows its saved passwords are kept in the SQLite database file "%APPDATA%\..\Local\Google\Chrome\User Data\Default\Login Data" (that is, under %LOCALAPPDATA%). The database file itself is not encrypted; only the password_value column is, so the site and username are readable by anyone who can open the file. Below are the steps Chrome performs while storing the password (code snippets from the Chromium GitHub mirror).




Decryption
Detection

How to keep your passwords safe
Conclusion